AaronMT just saw an odd situation in which both desktop and Android started receiving invalid-client-state errors from the server.
This might well be a server bug, but still, there are things we should do better:
* On receiving invalid-client-state, either immediately or after a number of retries, transition to Separated, not Cohabiting.
* Ask the user for credentials, persisting a derivative of the old credentials to determine whether the user re-entered the old ones. If they entered the old ones again, there's no point continuing to ask; enter the Android account hard error state and be done.
There's a balance here between detecting a "real" problem -- perhaps the user's key changed elsewhere, and i-c-s is accurate -- and being robust against some kind of transient error.
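
A sketch of the client behaviour proposed above, added here as an illustration and not taken from this bug or from the Sync client code. The retry threshold, the `HARD_ERROR` and `RECOVERED` state names, the `Account` class and the choice of PBKDF2 as the persisted "derivative" are all assumptions.

```python
import hashlib
import hmac
import os
from enum import Enum

MAX_RETRIES = 3  # assumption: the report only says "a number of retries"


class State(Enum):
    COHABITING = "Cohabiting"
    SEPARATED = "Separated"
    HARD_ERROR = "HardError"  # hypothetical name for the account hard error state
    RECOVERED = "Recovered"   # hypothetical: changed credentials accepted, sync may retry


def derive_marker(email: str, password: str, salt: bytes) -> bytes:
    """Slow, salted derivative of the credentials; the password itself is never stored."""
    secret = email.encode() + b"\x00" + password.encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.state = State.COHABITING
        self.failures = 0
        self.salt = os.urandom(16)
        self.marker = derive_marker(email, password, self.salt)

    def on_sync_response(self, error):
        if error != "invalid-client-state":
            self.failures = 0  # a transient error streak is forgotten on any other result
            return self.state
        self.failures += 1
        if self.failures >= MAX_RETRIES:
            self.state = State.SEPARATED  # stop retrying and ask for credentials
        return self.state

    def on_credentials_entered(self, password: str):
        if self.state is not State.SEPARATED:
            return self.state
        candidate = derive_marker(self.email, password, self.salt)
        if hmac.compare_digest(candidate, self.marker):
            self.state = State.HARD_ERROR  # same credentials again: asking further is pointless
        else:
            self.marker = candidate
            self.failures = 0
            self.state = State.RECOVERED
        return self.state
```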

Per Bug 985611, it looks like something made a request to this account with an empty X-Client-State header. This "should never happen" but clearly it has. I'll file some bugs about server-side mitigation to prevent this in future.
You should be able to get the account out of this stage by resetting your password. We'll work on a slightly less brutal recovery path.

(In reply to Ryan Kelly [:rfkelly] from comment #6)
> You should be able to get the account out of this stage by resetting your
> password. We'll work on a slightly less brutal recovery path.
Confirmed working now by doing so.